Philippine ISP cooperating with FBI in virus probe

U.S. and Philippine law enforcement officials are working together to track down the source of a potent virus unleashed today, according to an Internet service provider that temporarily hosted files used in the attacks.

Philippine ISP Sky Internet confirmed it had shut down access to virus files that had been placed on their systems earlier today. Network logs indicated that the files had come from another service provider in that country, the company said. Sky Internet is working with the FBI and authorities in the Philippines, said Darwin Bawasanta, a systems development manager at Sky Internet.

"We're trying to verify whether that's really a legitimate connection, or a way to divert attention away from a legitimate perpetrator," he said.

An FBI representative said that the agency "is currently assessing any impact this has had both nationally and internationally."

According to Elias Levy, a security analyst with Security Focus, the link to the Web pages--now removed--was a crucial aspect of the virus' defenses against antivirus measures.

"We've seen this at least once before, where virus has a dynamic
component," he said, "That gives it the capability of changing its behavior in the future. It could have been changed to remove files, make it look for credit cards, or install a network sniffer."

In an analysis provided by Security Focus, Levy explained that the I Love You virus replicates in three different ways: through email attachments, Internet Relay Chat file transfers, and through shared drives on a computer network.

Once the virus has found its way in, it writes itself into three different locations: two under the Windows directory, one under the system directory.

Then it modifies the computer's registry keys, which normally contain configuration
information that tells the computer what programs to launch on start-up. The
worm modifies the registry so that it starts running when the computer is
restarted.

In a step now rendered impotent, the worm modifies the registry key that
determines the start page for Microsoft?s Internet Explorer browser, pointing to one of four Web pages hosted by Sky Internet.

Those four pages linked to an executable called "win-bugsfix.exe." Virus code made the executable run.

The executable then looked up the computer's dial-up connection passwords, and mailed them to an email address in the Philippines.

Next, the executable created an HTML file on the computer's hard drive to
infect other computers connected on IRC. Giving it great and speedy virulence, it next spread to everyone listed in the victim's Windows address book.

In one of the most malicious aspects of the virus, it then went on to overwrite various music and graphics files and rename them .vbs files.

"You can't get those files back easily," said Levy. "You might be able to
recover some. But the virus is not just renaming it. If you're a Web
developer this will give you quite a few headaches."

In one curious exception, Levy noted that the virus goes after MP2 and MP3
files, but only hides them.

"Those files you can recover," he said.

Antivirus experts said they were amazed by the power of the virus. "I've
been doing
antivirus research for the past nine years, and it hasn't been this bad,"
said Mikko Hypponen, a research manager at computer security firm F-Secure, who noted that the
first report received of the virus came in at around 9:00 a.m. GMT (2 a.m.
PT) today from Norway. "It's...twice as
widespread as the Melissa virus."

As corporate network administrators worked to neutralize the threat, a new
version of the virus sprang up with the email header "Joke."

Hypponen, who called the Love virus "destructive," said the most damage
could be to media houses--including radio stations, magazines and
advertising agencies--that could potentially lose photo archives and music files.

"A large publishing house that got hit with the virus this morning lost
their complete photo archives," Hypponen said. "The problem is it
automatically deletes your (image and music) files. (Antivirus upgrades) can
remove the virus but can't undo the damage. If you don't have backups to
your files, you lose."

Several security sites have posted instructions for removing the virus, but
many were not easily accessible, presumably because of heavy traffic. Those
sites include:

One mid-sized Web site reported that the worm wreaked havoc on its computers today, but that the public site was spared the Windows-specific worm because it is served off a Linux computer.

"It was taking any MP3 files and it was making duplicates of itself with a
VBScript extension, and any '.jpg' files on our server were being
transformed to VBScript," said the site's administrator, who did not want
the site identified. "We've got an employee who got nailed heavily, and
every '.jpg' graphic has been converted to a '.vbs' file."

One site heavily dependent on the integrity of its MP3 files--MP3.com--has
apparently weathered the Love bug unscathed. A representative said the
company's information systems administrators sent a warning to employees
about the worm early in the day, and no damage had yet been reported.

Sources said that several government organizations in the Washington, D.C.,
area, including the Pentagon, the Federal Reserve, the Coast Guard and the
Defense Department, were hit by the email virus.

"We certainly have seen scattered instances of it throughout the Defense
Department, but I don't have any overall assessment at this time," said
department
spokeswoman Susan Hansen. "Our joint task force on computer network defense
has this under consideration. I can confirm that, like many other
organizations, we too...have seen this virus."

Last year, the Melissa virus clogged corporate email servers
across the country, causing more than $80 million in damage. A New Jersey
resident, David Smith, was arrested and charged with disseminating the
original Melissa virus.